Supply Chain

Flowing DFARS and CMMC Down to Subcontractors

In the defense sector, the supply chain is the weakest link. The DoD cannot audit the 300,000-plus companies in the Defense Industrial Base directly, so it relies on primes and higher-tier subs to push DFARS and CMMC requirements down through their own vendors. Here is how to do it correctly.

The legal mandate

Three clauses do most of the work:

  • DFARS 252.204-7012 (m) — if subcontract performance will involve CDI (or operationally critical support), you must include the full text of 7012, including paragraph (m), in the subcontract without alteration except to identify the parties. That binds the sub to NIST SP 800-171 implementation and 72-hour incident reporting to DoD, and requires the sub to pass the DoD-assigned incident report number up to you (and to tell you when it asks the Contracting Officer to vary from an 800-171 requirement).
  • DFARS 252.204-7020 (g) — you cannot award a subcontract that is subject to 7012's NIST SP 800-171 requirements unless the sub has completed at least a Basic (self-)assessment within the last three years and has the summary score posted in SPRS. 7020 also flows down in substance, including paragraph (g), to every subcontract except COTS.
  • CMMC (32 CFR § 170.23, put into contracts through DFARS 252.204-7021) — primes must determine which subs will handle FCI versus CUI and flow down the corresponding CMMC level and assessment type. Verify that the sub holds the required CMMC status before award; a Level 2 self-assessment does not satisfy a contract that calls for a Level 2 C3PAO certification.

Knowingly awarding work to a non-compliant sub exposes the prime to False Claims Act liability — treble damages and per-claim civil penalties. The DoJ's Civil Cyber-Fraud Initiative actively pursues these cases.

Which subcontractors are in scope

Flow-downs follow the data, not the dollar value. Map where FCI and CUI travel.

  • CMMC Level 2 (CUI flow): machine shops receiving ITAR drawings, engineering firms running simulations on sensitive designs, software developers writing code for DoD systems. Cloud service providers that store or process your CUI are in scope too, but under 7012(b)(2)(ii)(D) they must hold FedRAMP Moderate authorization or meet DoD's equivalency standard rather than carry a CMMC certificate of their own.
  • CMMC Level 1 (FCI flow only): staffing agencies on the program, non-sensitive logistics vendors, IT support for non-CUI corporate systems.
  • Out of scope: unmodified COTS suppliers and truly incidental services (drinking-water delivery, landscaping).

Contract language that actually works

Pasting the DFARS clauses is the baseline, not the goal. Strong T&Cs and POs go further:

  • Explicit CMMC requirement on the PO, matched to what your own contract demands — e.g., "Subcontractor must hold a valid CMMC Level 2 certification from an accredited C3PAO prior to commencement of work." If your contract only requires a Level 2 self-assessment, say that instead; if it requires a C3PAO assessment, a self-assessment on the sub's side will not do.
  • Verification rights — the right to request the SSP, SPRS score, or certification letter, and to audit the sub's environment.
  • Incident reporting protocols — name the prime's ISSM and a maximum notification window (e.g., 24 hours from discovery, shorter than the 72-hour DoD window), in addition to the sub's independent DIBNet obligation and its duty under 7012(m) to pass the DoD incident report number up the chain.
  • Indemnification for breaches, contract termination, or FCA exposure caused by the sub's non-compliance.

Vendor questionnaires and SPRS verification

You cannot accept "we're compliant" at face value. Standardized tools like Exostar's Cybersecurity Compliance and Risk Assessment (CCRA) are widely used; if you don't use Exostar, build your own structured questionnaire. At minimum ask:

  • Current SPRS score and assessment date.
  • Whether all 110 NIST 800-171 requirements are implemented; if not, how many on POA&M and target completion dates.
  • Whether CUI is stored or processed in a cloud service and, if so, whether that service holds FedRAMP Moderate authorization or meets DoD's equivalency standard.
  • Whether the IR plan covers DFARS 7012 reporting.
  • Any cyber incidents in the past 12 months involving CDI.
  • ITAR/EAR residency and access controls, where applicable.

Require executive signature on the questionnaire. A signed attestation creates real accountability and useful evidence if the relationship later becomes subject to FCA scrutiny.

Cross-check the SPRS score: SPRS does not let a prime look up a sub's score, so request a screenshot or export of the sub's own SPRS entry and compare it with the questionnaire. A high SPRS score alongside a red CCRA rating, or a score that cannot be reconciled with the number of POA&M items the sub itself reports, is a strong signal the score is inflated.
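The cross-checks above can be automated against the questionnaire answers themselves. The Python below is an added example written for this guide, not code from the original article or from any vendor tool. It assumes the scoring rules of the NIST SP 800-171 DoD Assessment Methodology (110 points maximum, each requirement weighted 1, 3 or 5 points, -203 minimum) and the three-year currency rule in DFARS 252.204-7020(g); the questionnaire field names, the "high score" threshold and the two sample vendor records are invented for the example.

```python
"""Consistency checks on a subcontractor's self-reported NIST SP 800-171 answers.

Added example for this guide, not code from the original article or any
vendor tool. Assumes the DoD Assessment Methodology scoring rules (110 max,
1/3/5-point deductions per unimplemented requirement, -203 min) and the
three-year rule in DFARS 252.204-7020(g). Field names are invented here.
"""
from datetime import date, timedelta

MAX_SCORE = 110                                # every requirement implemented
MIN_SCORE = -203                               # nothing implemented; weights sum to 313
MIN_WEIGHT, MAX_WEIGHT = 1, 5                  # per-requirement deduction bounds
ASSESSMENT_MAX_AGE = timedelta(days=3 * 365)   # 7020(g): assessment "within the last 3 years"
HIGH_SCORE = 100                               # assumed threshold for "high score vs. red rating"


def consistent_score_range(open_items: int) -> tuple[int, int]:
    """Lowest and highest SPRS score possible with `open_items` unimplemented requirements.

    Each open requirement costs at least 1 and at most 5 points, so the score
    must fall in [110 - 5n, 110 - n], clamped at the methodology's floor.
    """
    if not 0 <= open_items <= MAX_SCORE:
        raise ValueError(f"open_items must be 0..{MAX_SCORE}, got {open_items}")
    low = max(MIN_SCORE, MAX_SCORE - MAX_WEIGHT * open_items)
    high = MAX_SCORE - MIN_WEIGHT * open_items
    return low, high


def review_answers(answers: dict, as_of: date) -> list[str]:
    """Return human-readable findings; an empty list means the answers hang together."""
    findings = []
    score = answers["sprs_score"]
    open_items = answers["poam_count"]
    assessed = answers["assessment_date"]

    if not MIN_SCORE <= score <= MAX_SCORE:
        findings.append(f"SPRS score {score} is outside the possible range {MIN_SCORE}..{MAX_SCORE}")
    if answers["all_110_implemented"] and open_items:
        findings.append("claims all 110 requirements implemented but also lists POA&M items")
    if answers["all_110_implemented"] and score != MAX_SCORE:
        findings.append(f"claims all 110 requirements implemented but reports {score}, not {MAX_SCORE}")
    low, high = consistent_score_range(open_items)
    if not low <= score <= high:
        findings.append(f"score {score} cannot result from {open_items} open items (possible range {low}..{high})")
    if assessed > as_of:
        findings.append(f"assessment date {assessed} is in the future")
    elif as_of - assessed > ASSESSMENT_MAX_AGE:
        findings.append(f"assessment dated {assessed} is older than three years; 7020(g) bars award until refreshed")
    if answers.get("ccra_rating") == "red" and score >= HIGH_SCORE:
        findings.append(f"score {score} with a red questionnaire rating: likely inflated, request the SSP and POA&M")
    if answers.get("cui_in_cloud") and not answers.get("cloud_fedramp_moderate_or_equivalent"):
        findings.append("CUI hosted in a cloud service without FedRAMP Moderate or equivalent (7012(b)(2)(ii)(D))")
    if answers.get("cdi_incidents_12mo", 0) and not answers.get("incidents_reported_to_dod"):
        findings.append("reports CDI incidents in the last 12 months but no report to DoD; 7012 requires one within 72 hours")
    return findings


AS_OF = date(2025, 1, 15)   # constructed review date so the run is repeatable

# Constructed questionnaire returns; neither describes a real company.
PLAUSIBLE = {
    "sprs_score": 98, "poam_count": 4, "all_110_implemented": False,
    "assessment_date": date(2024, 6, 30), "ccra_rating": "green",
    "cui_in_cloud": True, "cloud_fedramp_moderate_or_equivalent": True,
    "cdi_incidents_12mo": 0,
}
SUSPICIOUS = {
    "sprs_score": 110, "poam_count": 6, "all_110_implemented": True,
    "assessment_date": date(2021, 3, 1), "ccra_rating": "red",
    "cui_in_cloud": True, "cloud_fedramp_moderate_or_equivalent": False,
    "cdi_incidents_12mo": 1, "incidents_reported_to_dod": False,
}

if __name__ == "__main__":
    for name, answers in (("plausible", PLAUSIBLE), ("suspicious", SUSPICIOUS)):
        findings = review_answers(answers, AS_OF)
        print(f"{name}: {'no findings' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

The arithmetic check is the useful part: a sub that reports six POA&M items cannot honestly hold a score above 104, and one that reports 110 cannot have any open items at all. Findings from this script are a reason to ask for the SSP and POA&M, not a verdict on their own.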

Continuous monitoring

Compliance is not a one-time check. Staff change, systems drift, attention slips. Re-run the questionnaire annually (CMMC's requirement that a senior official affirm continued compliance every year gives a natural cadence), require immediate notification of material changes such as a new SPRS score, a lapsed certification, or a move of CUI to a different environment, and for the highest-risk subs add annual evidence reviews or on-site visits.

Handling non-compliant subcontractors

  • Help them get there. For critical suppliers willing to invest, share policy templates, recommend qualified consultants, or co-build a compliant enclave.
  • Change the data flow. Send a redacted spec instead of the full technical drawing where the sub only needs dimensions; less CUI in their environment means lower compliance burden.
  • Use a secure portal. Host the data in your compliant boundary (GCC High SharePoint, PreVeil) and have the sub work inside it — CUI never lands on their network.
  • Terminate. If the sub refuses to comply and the data flow can't be changed, find a new supplier. Lockheed Martin, Boeing, RTX, Northrop Grumman, and General Dynamics are already cutting non-compliant vendors from active programs.

Need a supply-chain compliance program?

Desra Secure helps primes and higher-tier subs build the contract language, vendor questionnaires, SPRS verification workflows, and oversight cadence that keep the supply chain CMMC-ready.

This guide is provided for general informational purposes only and does not constitute legal or compliance advice. Specific obligations depend on your contracts and the data you handle.